See my signature for the virus-removal method.
I suggest first using a forced-deletion tool to delete the virus files and stop them from regenerating; then deal with the virus's registry entries.
Change the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] from
<shell><Explorer.exe,22.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
to
<shell><Explorer.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
Change the registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><msspcyn.dll tennfs.dll fackwir.dll welyri.dll offecao.dll theralte.dll>
to <AppInit_DLLs><>
and delete the files
C:\WINDOWS\system32\msspcyn.dll
C:\WINDOWS\system32\tennfs.dll
C:\WINDOWS\system32\fackwir.dll
C:\WINDOWS\system32\welyri.dll
C:\WINDOWS\system32\offecao.dll
C:\WINDOWS\system32\theralte.dll
Delete the startup entries under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] together with their corresponding dll files:
<{00050005-0005-0005-0005-00050005BB15}><C:\WINDOWS\system32\cliconfgzx.dll> []
<{000F087F-4378-545F-74FA-37D345AD7A8C}><C:\WINDOWS\system32\mttwfh.dll> []
<{841529CB-7F77-4B99-A895-B5441E0D302F}><C:\WINDOWS\system32\jfrwdh.dll> []
<{C0595A7E-2E2F-4B34-A83A-019270A0A464}><C:\WINDOWS\system32\tdffdl.dll> []
<{8C41B7F7-3168-400D-A702-0E7EFE0BA304}><C:\WINDOWS\system32\sgdewg.dll> []
<{A9895933-6636-4281-BC58-EE6DE2AF96E3}><C:\WINDOWS\system32\ddserh.dll> []
<{45AADFAA-DD36-42AB-83AD-0521BBF58C24}><C:\WINDOWS\system32\zycdex.dll> []
<{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}><C:\WINDOWS\system32\hhrdxd.dll> []
<{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}><C:\WINDOWS\system32\wklsdd.dll> []
<{28766E1C-74B0-4417-8C75-F12AE309EF35}><C:\WINDOWS\system32\wzcfsw.dll> []
<{00150015-0015-0015-0015-00150015BB15}><C:\WINDOWS\system32\jmtsyhdp.dll> []
<{00120012-0012-0012-0012-00120012BB15}><C:\WINDOWS\system32\kbdswjr.dll> []
<{00060006-0006-0006-0006-00060006BB15}><C:\WINDOWS\system32\dispexcb.dll> []
<{00030003-0003-0003-0003-00030003BB15}><C:\WINDOWS\system32\bootvidgj.dll> []
<{00010001-0001-0001-0001-00010001BB15}><C:\WINDOWS\system32\adsntzt.dll> []
<{50A8A8C4-EDC9-4ABD-A0A2-2E2418982189}><C:\WINDOWS\system32\kgfghd.dll> []
<{00300030-0030-0030-0030-00300030BB15}><C:\WINDOWS\system32\imgutilhx2.dll> []
<{00250025-0025-0025-0025-00250025BB15}><C:\WINDOWS\system32\slbiopfs2.dll> []
Delete the startup entries under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] together with their corresponding dll files:
<cliconfgzx.dll><C:\WINDOWS\system32\cliconfgzx.dll> []
<jmtsyhdp.dll><C:\WINDOWS\system32\jmtsyhdp.dll> []
<kbdswjr.dll><C:\WINDOWS\system32\kbdswjr.dll> []
<dispexcb.dll><C:\WINDOWS\system32\dispexcb.dll> []
<bootvidgj.dll><C:\WINDOWS\system32\bootvidgj.dll> []
<adsntzt.dll><C:\WINDOWS\system32\adsntzt.dll> []
<imgutilhx2.dll><C:\WINDOWS\system32\imgutilhx2.dll> []
<slbiopfs2.dll><C:\WINDOWS\system32\slbiopfs2.dll> []
Delete the following drivers and their corresponding files:
[fllypvo / fllypvo][Running/Boot Start]
<C:\WINDOWS\system32\drivers\fllypvo.sys><>
[IIS Manager / IIS Manager ][Stopped/Manual Start]
<\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp><N/A>
[HiddFldy / HiddFldy][Running/Auto Start]
<\??\C:\WINDOWS\system32\d32dx9.sys><N/A>
Delete the browser add-ons:
[]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[]
{3049C3E9-B461-4BC5-8870-4C09146192CA} <, >
[]
{35980F6E-A137-4E50-953D-813BB8556899} <, >
[]
{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} <, >
[]
{95B3F550-91C4-4627-BCC4-521288C52977} <, >
[]
{A986E409-30CC-4185-89BB-AB212C104524} <, >
[]
{EE60714F-AC17-427E-861A-FD60CBDF119A} <, >
[]
{FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <, >
Then search for 22.exe and delete it wherever it is found.
Check this one yourself; the following file is very suspicious:
C:\WINDOWS\TB0BD1UP.SCR
http://www.virscan.org/
http://www.virustotal.com/zh-cn/
Finally, reinstall Rising (瑞星) and use Windows Cleanup Assistant (Windows清理助手) to completely uninstall and clean out the pile of rogue software.
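As an added example (my own code, not from the post or any tool it mentions), here is a small Python parser for the `[HKEY_...]` / `<name><value> [signer]` report layout quoted above; it flags the same things the post tells the reader to fix: a Winlogon Shell that is not exactly Explorer.exe, a Userinit that is not only userinit.exe, a non-empty AppInit_DLLs, and ShellExecuteHooks or ShellServiceObjectDelayLoad DLLs with no verified signer. The sample report is constructed; the placeholder GUID and the benign shell32 control line are assumptions.

```python
import re
# Constructed sample in the "<name><value> [signer]" layout of the report quoted in the post;
# the 22.exe, AppInit_DLLs and cliconfgzx.dll lines mirror it, the shell32 line is a made-up
# signed entry (placeholder GUID) that serves as a benign control.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe,22.exe> [(Verified)Microsoft Windows Component Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><msspcyn.dll tennfs.dll>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{11111111-1111-1111-1111-111111111111}><C:\WINDOWS\system32\shell32.dll> [(Verified)Microsoft Windows Component Publisher]
<{00050005-0005-0005-0005-00050005BB15}><C:\WINDOWS\system32\cliconfgzx.dll> []
"""
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>(?:\s*\[([^\]]*)\])?$")
USERINIT = r"c:\windows\system32\userinit.exe"  # assumed default path, as in the post
HOOK_KEYS = ("shellexecutehooks", "shellserviceobjectdelayload")

def parse_report(text):
    """Group '<name><value> [signer]' lines under the '[HKEY_...]' key above them."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, [])
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            name, value, signer = m.groups()
            entries[key].append((name, value, signer or ""))  # no bracket -> no signer
    return entries

def find_suspicious(entries):
    """Apply the post's checks; returns (key, name, value, reason) tuples."""
    findings = []
    for key, items in entries.items():
        tail = key.rsplit("\\", 1)[-1].lower()  # last path component of the key
        for name, value, signer in items:
            n = name.lower()
            if tail == "winlogon" and n == "shell" and value.lower() != "explorer.exe":
                findings.append((key, name, value, "Shell must be exactly Explorer.exe"))
            elif tail == "winlogon" and n == "userinit" and value.lower().rstrip(",") != USERINIT:
                findings.append((key, name, value, "Userinit must be only userinit.exe"))
            elif n == "appinit_dlls" and value.strip():
                findings.append((key, name, value, "AppInit_DLLs should be empty"))
            elif tail in HOOK_KEYS and not signer:
                findings.append((key, name, value, "hook DLL has no verified signer"))
    return findings
```

Running `find_suspicious(parse_report(SAMPLE_REPORT))` on the constructed report returns three findings (the 22.exe shell, the AppInit_DLLs list and the unsigned cliconfgzx.dll hook) and leaves the signed shell32 entry alone.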